Ethics... Exploring Privacy and Confidentiality: Gray Areas

Section 15 Ethics: National Coalition for Patients Rights

While there are a variety of beneficial uses of medical records, when one reviews them
all together, it is staggering just how many persons, agencies and interests are
permitted access to and use of patients' private medical records. The public has
become increasingly distrustful of a variety of social institutions, including
government, employers, and insurers, as a result of the exploitation of their
medical records and medical information. This distrust undermines the goals of
providing health care in a number of ways, including less than full candor by
patients to their providers, deliberate deception by patients to providers, and
avoidance strategies, all of which result not only in lower quality health care
for the patients themselves, but in lower quality data in the medical records.
Through the incremental encroachment on and dismantling of the privacy of medical
records over the years, our society has lost respect for the autonomy of each
person to determine for themselves what projects and practices they wish to participate
in. We have traded bit by bit our respect for privacy for the incremental goods
of violating it -- goods that are often as much private and proprietary as they
are public.

The National Coalition for Patient Rights believes that nothing short of a radical
rethinking of the confidentiality of the medical record and respect for patient
privacy is in order. With the exception of genuine public health investigations,
all secondary interests in accessing the medical record must submit to the sovereignty
of the individual to determine for him or herself what uses of the medical record
are appropriate. This can be accomplished only by means of federal legislation
which sets a legislative floor that guarantees to all citizens a right to the
privacy of their medical information. Following from the discussion in the previous
chapter, we recommend that such legislation should include the following provisions.

Recommendation 1: Medical records should be maintained as confidential and private for the
purpose of the clinical benefits of the patient. Disclosure of medical records
outside the context of clinical care requires the consent of the patient.

Recommendation 2: The right of patients to determine what information in their medical records
is shared with other providers and other institutions and agencies should be recognized
both by law and by institutional policy. Patients who wish not to disclose medical
information to other health care providers that may be important in their medical
care should be counseled about the risks of nondisclosure and sign an acknowledgment
of their being warned.

Recommendation 3: Patients should have the legal right to review and copy their medical
records. Patient access to medical records should be facilitated by providers,
and charges to patients limited to the cost of copying. Institutions should develop
clear policies and procedures for patients to correct and amend errors in the
medical record. Patients should have the right to review the audit trails of who
has accessed their medical records and for what purposes.

Recommendation 4: Third party payers of medical services should be required to specify in
advance the medical information they require to assess claims and manage medical
care. Public notice should be made to patients of the kinds of medical information
that will be requested from their providers. Physician notes should not routinely
be disclosed to third party payers, and consistent with the Supreme Court's decision
in Jaffee v. Redmond, psychotherapist notes should never be disclosed to third
party payers. Patient consent should be required before medical records are transferred
to or patients are enrolled in disease management programs. Disease management
programs should be based on sound clinical research and arranged through the patient's
own health care provider.

Recommendation 5: Third party payers should be held accountable to the same standards
of privacy and confidentiality as are medical care providers. Third party
payers should be limited in their use of medical records to the terms specified
in the patient consent to release medical records. No disclosure by third party
payers to any other party may be made without the written, freely-given consent
of the patient, i.e., participation in the health plan or other benefits should
not be contingent upon patient consent to further disclosures. Patients of third
party medical payers should have the right to review and copy the medical records
held by these organizations, and to review the logs of who has had access to their
records and for what purposes. Third party payers should establish procedures
for patients to correct errors in their medical information.

Recommendation 6: The psychotherapeutic relationship is of such sensitivity as to require
special recognition as a domain of absolute privacy. Records and notes of
psychotherapy sessions should always remain confidential and third parties should
be prohibited by law from demanding their disclosure for any reason. For reimbursement
purposes, only the minimal amount of information should be disclosed to process
claims.

Recommendation 7: Research involving medical records must either be conducted with the freely
given, informed consent of patients, or with blanket consent which delegates to
a Medical Records Review Board (MRRB) the authority to waive further consent.
The MRRB should be constituted by at least a majority of community members (individuals
not employed by or otherwise affiliated with the institution) in addition to appropriate
scientific, medical and allied health personnel and administered by the Medical
Records Trustee. MRRB decisions not to grant a waiver of informed consent should
be final. The MRRB should ensure that the confidentiality of patient information
is protected as it passes through a research protocol, that the information is
not used for other purposes without explicit MRRB approval, and that the purposes
of research will not be reasonably objectionable to the patient populations involved.

Recommendation 8: All health services research that relies on personal medical information
should be reviewed, approved, and overseen by an institutional Medical Records
Review Board, with the Medical Records Trustee being the main point of contact
for both patients seeking information about these research/evaluation projects,
and for those people conducting the research and/or evaluation projects.

Recommendation 9: Each clinical institution maintaining medical records has the responsibility
to safeguard their confidentiality by minimizing access to medical records to
those individuals whose "need to know" is of clinical benefit to the
patient or is otherwise consented to by the patient. Institutions should employ
encryption schemes and password protection, and log each access to or modification
of the medical record (e.g., computerized audit trails). Institutions should develop
auditing programs to ensure that access to and use of medical records is appropriate
and take appropriate punitive measures when it is not. Patients should have the
right to limit access to particularly sensitive information.

Recommendation 10: Each health care institution maintaining medical records or medical information
should designate a "Medical Records Trustee" responsible for promulgating
and enforcing institutional confidentiality and privacy policies, and ensuring
compliance with the law. The Medical Records Trustee shall be the final responsible
authority for granting any and all access to medical records and information within
the institution. The Medical Records Trustee should also be responsible for making
notification to patients and the general public of the institution's policies
for protecting patient privacy and confidentiality of their medical records.

Recommendation 11: Public health investigations in which an imminent danger to the health
of individuals or communities is at stake should be permitted to access private
medical records as necessary and as provided for under current law. The consent
of patients is not necessary, but patients should be notified by their providers
that their records may be opened to public health authorities. When providers
make legally mandated disclosures to public health authorities, they should be
required to inform the patient of this requirement at the time the condition is
discovered.

Recommendation 12: In general, employers should not have access to clinical medical records.
These records should be segregated from all other personnel-related information,
and be used only in the benefits determination process (and only where the employer
is a self-insurer). Employers should be barred from using this information for
employment, promotion and other personnel decisions, and should provide notification
to all employees and prospective employees of what information they collect and
for what purposes. Employers with access to medical records should be barred from
disclosing this information to other parties, and should maintain audit trails
of who has accessed the records and for what purposes, which should be made
available to the employees.

Recommendation 13: Health care institutions maintaining medical records should notify the
public and patients individually of the offices and functions which have access
to their medical records. Institutions should also prominently display their policies
on maintaining confidentiality of medical records. The name, address, and phone
number of the Medical Records Trustee should be provided to all patients.

Recommendation 14: Proposals to create systems designed to link private medical information
or otherwise collate medical record information, such as the Unique Patient Identifier
or the Master Patient Index, should not be implemented without explicit patient
informed consent. Patients should always have the freedom to determine for themselves
what medical information may be collated together and for what purposes.

Recommendation 15: Law enforcement access to medical records should be limited to court order.
When records are thus obtained, they should contain only the minimal amount of
information necessary to fulfill the purpose for which they were sought. Moreover,
law enforcement officials should maintain the confidentiality of the information
they obtain and should allow access only to as few people as is absolutely
necessary. Under no circumstances should personal medical records become part
of an open court record, where the patients are not parties to the court proceeding.
In the limited case of health care fraud investigations, anonymous records should
be used to assess patterns of fraudulent billing, with identified information
used only where specific instances of fraud are suspected.